A small, rural hospital contracted with an emergency medical group for emergency department (ED) coverage. The group was paid monthly by EFT from the hospital’s account to the ED group’s account.
In June, the hospital received an email invoice from the ED group with instructions to send payment to a new account. The hospital sent the $200,500 payment to the new account on July 10.
On July 12, the payment was returned because the new account was frozen. On July 16, the ED group emailed new account information and instructions to the hospital. The hospital sent the $200,500 payment to the new account.
In early August, the ED group sent the next monthly invoice by email with instructions to send the funds to another new account. The hospital sent the $206,500 payment on August 13.
It was later discovered that the requests to send the funds to the new accounts were fraudulent. The ED group never sent the emails requesting EFT account changes. The cyber criminals who sent the fraudulent emails and set up the accounts ended up collecting $407,000 from the hospital.
When the hospital discovered that the money had been sent to an invalid account, the loss was reported to the hospital’s insurance agent and cyber liability carrier. The hospital was advised to take the following steps.
- File a complaint with the local police department.
- Submit a complaint to the FBI’s Internet Crime Complaint Center (IC3).
- Contact the bank’s fraud department to flag the transactions as fraudulent.
- Contact the local FBI office.
After the incident, the hospital began using the following fraud prevention measures.
- A change in policy that requires all wire transfer procedures to have oral confirmation from vendors and contractors if there are any changes in payment instructions.
- Managers are now required to send emails using two-step account verification procedures.
- Employees in the IT, Finance, and Revenue Cycle Departments attend required training on cyber security and cyber fraud risks.
Risk management considerations
Social engineering typically involves a hacker using a compromised business email account to request money, passwords, banking information, or personally identifying information from the holder of the compromised account. The victim is deceived into thinking the request is from a legitimate source, such as a friend or a financial institution with whom the victim has a business relationship. (1)
In this case, the hospital fell victim to a social engineering fraud through a phishing email. The compromised ED group email requested money through multiple wire transfers, tricking the hospital into sending $407,000.
The following practices can help combat phishing attacks.
- Be suspicious of emails from unknown sources, especially those requesting sensitive information or stressing the urgency and importance of the request.
- Train employees to recognize suspicious emails and forward them to someone who manages cyber security.
- Establish an incident response plan to initiate in case a phishing attack is successful.
- Use technology to detect and test emails for malicious content.
- Require multifactor authentication.
- Conduct regular security training for employees and provide testing to ensure understanding.
- Follow your instincts, and always report suspicious emails. (2)
1. International Risk Management Institute. Glossary: Social engineering. Available at https://www.irmi.com/term/insurance-definitions/social-engineering. Accessed September 16, 2019.
2. Department of Health and Human Services. Health industry cybersecurity practices. Available at https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf . Accessed September 16, 2019.